This post is about a simple vulnerability I discovered on AGS Cinemas which I could have used to hack into other users’ accounts easily and without any user interaction.

This gave me full access to other users' accounts by setting a new password. I was able to view ticket history, their credit wallet, and other private information.

Suresh Kumar, the CEO of MacAppStudio (technology partner for AGS Cinemas), acknowledged the issue promptly and fixed it. There are quite a few humble persons like him who would accept this kind of security bug, because many would have confronted me on testing their site without their permission.

How the hack worked

Whenever a user forgets their password on AGS Cinemas, they have the option to reset it by entering their phone number in the forgot password popup.

AGS Cinemas will then send a 4-digit code to this phone number, which the user has to enter in order to set a new password.

I tried to brute force the 4-digit code (e.g. 3286) on www.agscinemas.com and wasn't blocked even after 5-6 invalid attempts. Interestingly, rate limiting was missing from the forgot password endpoint.

I tried to take over my own account and was successful in setting a new password for my account. I could then use this same password to log into my own hacked account.

A proof of concept video of the hack

As you can see in the video, I was able to set a new password for the user by brute forcing the code which was sent to their phone number.

POST /php/otpverify.php HTTP/1.1
Host: www.agscinemas.com

mobile=XXXXXXXXXX&randomnums=XXXX

Brute forcing the "randomnums" parameter successfully allowed me to set a new password for any AGS Cinemas account.
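The fix on the server side is to make the 4-digit code unusable after a handful of wrong guesses, so the 10,000-value space can never be walked. The following is an added example (not AGS Cinemas' or MacAppStudio's code, which is PHP) showing one way to write the verification behind an endpoint like otpverify.php: the `OtpStore` class, the attempt and expiry limits, and the injected clock are all hypothetical choices made for this illustration; only the `mobile` and `randomnums` field names come from the request shown above.

```python
import hmac
import secrets
import time

OTP_DIGITS = 4
MAX_ATTEMPTS = 5         # assumption: lock after 5 failures, far below the 10**4 guesses a brute force needs
OTP_TTL_SECONDS = 300    # assumption: a code is only valid for five minutes


class OtpStore:
    """Hypothetical server-side record of pending reset codes, keyed by phone number."""

    def __init__(self, now=time.time):
        self.now = now        # injectable clock so expiry can be exercised offline
        self.pending = {}     # mobile -> {"code": str, "expires": float, "failures": int}

    def issue(self, mobile):
        """Create a fresh code for this phone number, replacing any earlier one."""
        code = f"{secrets.randbelow(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"
        self.pending[mobile] = {"code": code, "expires": self.now() + OTP_TTL_SECONDS, "failures": 0}
        return code  # in the real flow this goes out by SMS; returned here only for the demo

    def verify(self, mobile, randomnums):
        """Check a submitted code; returns 'ok', 'invalid', 'locked', 'expired' or 'no_pending_code'."""
        entry = self.pending.get(mobile)
        if entry is None:
            return "no_pending_code"
        if self.now() > entry["expires"]:
            del self.pending[mobile]
            return "expired"
        # constant-time comparison so timing does not leak which digits matched
        if hmac.compare_digest(entry["code"], str(randomnums)):
            del self.pending[mobile]  # single use: a verified code cannot be replayed
            return "ok"
        entry["failures"] += 1
        if entry["failures"] >= MAX_ATTEMPTS:
            del self.pending[mobile]  # burn the code; the user must request a new one
            return "locked"
        return "invalid"


if __name__ == "__main__":
    store = OtpStore()
    mobile = "9000000000"              # constructed sample number
    code = store.issue(mobile)
    wrong = f"{(int(code) + 1) % 10 ** OTP_DIGITS:0{OTP_DIGITS}d}"
    print([store.verify(mobile, wrong) for _ in range(MAX_ATTEMPTS)])  # 4 x invalid, then locked
    print(store.verify(mobile, code))  # no_pending_code: the right guess arrives too late
```

Per-IP rate limiting on the endpoint belongs in front of this as well, since an attacker can otherwise simply request a fresh code and start again.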

Disclosure Timeline

Feb 21st, 2018 : Bug was discovered.

Feb 22nd, 2018 : Report sent to MacAppStudio team.

Feb 23rd, 2018 : Acknowledged by CEO.

Feb 24th, 2018 : Issue resolved from their side.

Thanks for reading through 🙌🏼. If you found this article useful, please applaud using the 👏 button and share it through our circles.

A collection of write-ups from the best hackers in the world on topics ranging from bug bounties and CTFs to vulnhub machines, hardware challenges and real life encounters. In a nutshell, we are the largest InfoSec publication on Medium. Maintained by Hackrew